Rooting... just getting su? - Hero, G2 Touch General

Hi there...
I'm finally considering rooting, however all the guides lead to flashing a custom rom... but actually I don't want to flash a custom ROM, I want to keep everything as it is, with the difference that I (and preferably only I) can become super user on the shell when I need to do some changes (like fixing the stock widget bug in the internal database).
I've read this right now:
http://forum.xda-developers.com/showthread.php?t=724741
And they say I can flash this file called EngTools.zip.
Does this also work on the Hero, assuming the guide (PossibleGSMRoot or something... from the VillainROM forum) works on my phone?
I don't even want to permanently have some kind of AmonRa blabla recovery boot image on my phone. If I need it while I get root that's fine, but I want to get rid of it afterwards. I really don't need root for any applications like overclocking etc. etc., just for smaller dives into the file system and changes there via adb.

olafos said:
Hi there...
I'm finally considering rooting, however all the guides lead to flashing a custom rom... but actually I don't want to flash a custom ROM, I want to keep everything as it is, with the difference that I (and preferably only I) can become super user on the shell when I need to do some changes (like fixing the stock widget bug in the internal database).
I've read this right now:
http://forum.xda-developers.com/showthread.php?t=724741
And they say I can flash this file called EngTools.zip.
Does this also work on the Hero, assuming the guide (PossibleGSMRoot or something... from the VillainROM forum) works on my phone?
I don't even want to permanently have some kind of AmonRa blabla recovery boot image on my phone. If I need it while I get root that's fine, but I want to get rid of it afterwards. I really don't need root for any applications like overclocking etc. etc., just for smaller dives into the file system and changes there via adb.
Hmmm. If you are on 2.1, then you can use the GSM root I posted over at VR. The recovery needs to be flashed to the phone though, so you can flash zips to the phone from there.
As for your wish to get rid of the patched recovery afterwards, you're missing out a lot, but if you can find the stock recovery img file, you can simply flash that using
"flash_image recovery FilenameHero.img" via the phone's shell or adb (once rooted, presuming you added the flash_image binary).
As for that file, I don't know, as I've never checked if that will work on the hero.
I'd be inclined to say DON'T TRY IT, since it will contain a kernel, and flashing the wrong kernel can brick your device's radio, essentially ruining it.
But if you locate the correct files for the GSM hero, and package them similarly, you could flash that onto your phone via recovery
Bear in mind the stock HTC ROM is basically full on the system partition, so you might have issues actually fitting the files on.

I've been a lurker for some time here but just before I had thought about exactly the same issue as OP... I always wondered why there's no way to just get root access temporarily. Most people told me I'd have to flash a custom ROM.
So today I finally looked into the matter and based on your (anon2122) post on VillainROM and the Eris exploits etc. I managed to do exactly what I wanted... and thought it's time to get an account...
I only really needed root for the Stock app currency issue: http://forum.xda-developers.com/showthread.php?t=719149 which I was now able to fix.
HTC Hero GSM soft root guide by ixampl
(... credits belong to / based on: http://www.villainrom.co.uk/viewtopic.php?f=110&t=2096)
1 Flashing a custom recovery image
1.1 Backup (1)
Code:
adb shell mkdir /data/local/backup
adb shell "cat /data/local/rights/mid.txt > /data/local/backup/mid.txt"
1.2 Uploading custom recovery image and image flashing tool and setting correct permissions
Code:
adb push recovery-RA-hero-v1.6.2.img /data/local/
adb push flash_image /data/local/
adb shell chmod 777 /data/local/recovery-RA-hero-v1.6.2.img
adb shell chmod 777 /data/local/flash_image
1.3 Center piece of the permissions exploit for the recovery ROM
Code:
adb shell ln -s /dev/mtd/mtd1 /data/local/rights/mid.txt
1.4 Normal reboot
Code:
adb reboot
1.5 Now that the recovery ROM (/dev/mtd/mtd1) is accessible: Backup (2)
Code:
adb shell "cat /dev/mtd/mtd1 > /data/local/backup/recovery.img"
1.6 Flashing the previously uploaded custom recovery image
Code:
adb shell /data/local/flash_image recovery /data/local/recovery-RA-hero-v1.6.2.img
1.7 Rebooting into recovery mode
Code:
adb reboot recovery
2 Adding root shell (optional)
2.1 Mounting all devices
Code:
adb shell mount -a
2.2 Adding rootsh
Code:
adb shell "cat /system/bin/sh > /system/bin/rootsh"
adb shell chmod 4755 /system/bin/rootsh
2.3 Rebooting into system
Code:
adb reboot
After this you can flash the recovery.img you backed up in step 1.5 just as you flashed in step 1.6 (adjust the parameters accordingly).
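A caveat on step 2.2, with an added example that is not part of ixampl's post: a setuid-root copy of sh with mode 4755 is executable by every user and app on the device, so it hands root to anything that runs it, not only to the person at the adb shell. The POSIX shell functions below (function names are my own) find such binaries under a directory tree; they can be run from adb shell on the rooted phone or on any Linux host. The demo builds a constructed temporary directory containing a rootsh of mode 4755 instead of touching /system/bin.

```shell
#!/bin/sh
# Added example, not from the original post: audit a directory tree for
# setuid executables, the kind of binary that step 2.2 of the guide creates
# (/system/bin/rootsh, mode 4755). Needs only find, ls, wc, tr, mktemp.

# list_setuid DIR: print every regular file under DIR with the setuid bit set
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# list_world_exec_setuid DIR: the subset that is also executable by "other",
# i.e. reachable from any app or shell on the device (mode 4755 qualifies,
# mode 4700 does not)
list_world_exec_setuid() {
    find "$1" -type f -perm -4001 2>/dev/null
}

# count_setuid DIR: number of setuid files under DIR
count_setuid() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# audit_setuid DIR: print a report; return 1 if any world-executable setuid
# file exists under DIR, 0 otherwise
audit_setuid() {
    dir="$1"
    hits=$(list_world_exec_setuid "$dir")
    if [ -z "$hits" ]; then
        echo "no world-executable setuid files under $dir"
        return 0
    fi
    echo "world-executable setuid files under $dir:"
    echo "$hits" | while IFS= read -r f; do ls -l "$f"; done
    return 1
}

# Demo on a constructed directory. On the phone the real call would be
# `audit_setuid /system/bin` from adb shell after step 2.3.
demo_dir=$(mktemp -d)
printf '#!/system/bin/sh\n' > "$demo_dir/rootsh"
chmod 4755 "$demo_dir/rootsh"   # what the guide's step 2.2 leaves behind
printf '#!/system/bin/sh\n' > "$demo_dir/sh"
chmod 0755 "$demo_dir/sh"       # an ordinary binary for contrast
audit_setuid "$demo_dir" || echo "audit flagged $(count_setuid "$demo_dir") setuid file(s)"
rm -rf "$demo_dir"
```

The non-zero return from audit_setuid makes the check usable in a script that runs after the steps above, so a rootsh that was supposed to be temporary is noticed before the phone goes back into daily use.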

ixampl said:
I've been a lurker for some time here but just before I had thought about exactly the same issue as OP... I always wondered why there's no way to just get root access temporarily. Most people told me I'd have to flash a custom ROM.
So today I finally looked into the matter and based on your (anon2122) post on VillainROM and the Eris exploits etc. I managed to do exactly what I wanted... and thought it's time to get an account...
I only really needed root for the Stock app currency issue: http://forum.xda-developers.com/showthread.php?t=719149 which I was now able to fix.
HTC Hero GSM soft root guide by ixampl
(... credits belong to / based on: http://www.villainrom.co.uk/viewtopic.php?f=110&t=2096)
1 Flashing a custom recovery image
1.1 Backup (1)
Code:
adb shell mkdir /data/local/backup
adb shell "cat /data/local/rights/mid.txt > /data/local/backup/mid.txt"
1.2 Uploading custom recovery image and image flashing tool and setting correct permissions
Code:
adb push recovery-RA-hero-v1.6.2.img /data/local/
adb push flash_image /data/local/
adb shell chmod 777 /data/local/recovery-RA-hero-v1.6.2.img
adb shell chmod 777 /data/local/flash_image
1.3 Center piece of the permissions exploit for the recovery ROM
Code:
adb shell ln -s /dev/mtd/mtd1 /data/local/rights/mid.txt
1.4 Normal reboot
Code:
adb reboot
1.5 Now that the recovery ROM (/dev/mtd/mtd1) is accessible: Backup (2)
Code:
adb shell "cat /dev/mtd/mtd1 > /data/local/backup/recovery.img"
1.6 Flashing the previously uploaded custom recovery image
Code:
adb shell /data/local/flash_image recovery /data/local/recovery-RA-hero-v1.6.2.img
1.7 Rebooting into recovery mode
Code:
adb reboot recovery
2 Adding root shell (optional)
2.1 Mounting all devices
Code:
adb shell mount -a
2.2 Adding rootsh
Code:
adb shell "cat /system/bin/sh > /system/bin/rootsh"
adb shell chmod 4755 /system/bin/rootsh
2.3 Rebooting into system
Code:
adb reboot
After this you can flash the recovery.img you backed up in step 1.5 just as you flashed in step 1.6 (adjust the parameters accordingly).
That is a nice method.
I've long thought about making something similar, so maybe today I'll try, as an idea has come back to me...
I am thinking that I can avoid the whole recovery flashing, though I'm not going to say the idea till I've thought it through, as someone might try it before I realise how stupid an idea it is...
But I'll certainly see if it can get permanent root sorted out on the phone, although it won't give root adb access, as that is defined in the boot.img, though I guess I could flash that while I'm at it...
Good work.

Thanks!
Yes, a method to (safely) acquire super user access without flashing anything would be highly appreciated There's a small risk involved with flashing. Granted it usually causes no issues, but there is the slight possibility of bricking your phone.
Good work.
Thanks, although - as you know - I really didn't do anything special there
[...] although it won't give root adb access [...]
Yes, that's a minor annoyance, but really minor ... for the currency fix I naturally couldn't do
Code:
adb pull /data/data/com.htc.dcs.service.stock/databases/stock.db stock.db
or
Code:
adb push stock.db /data/data/com.htc.dcs.service.stock/databases/stock.db
but it's not that hard to just work around that via /data/local:
Code:
adb shell
$ rootsh
# cat /data/data/com.htc.dcs.service.stock/databases/stock.db > /data/local/stock.db
then pull from there etc.
I really think "rooting" is a misnomer for most of the current guides.
I can see that most people "root" their phone in order to get custom ROMs (and I have no issue with that, it's just too much overkill for someone who just wanted to fix a small bug), but in fact most people don't care about rooting per se, they care about flashing a recovery image which enables them to flash custom ROMs.
I actually wanted to try:
Code:
adb shell ln -s /dev/mtd/mtd3 /data/local/rights/mid.txt
...and see what happens if I remount after boot. If it causes the system to follow back the link with user permissions for the recovery ROM, maybe the system ROM could be (write-)accessed as well. Then again, it was my first venture into rooting so naturally there would have been no way to fix a broken system image save for reflashing the 1.5 RUU.
Do you have any details about what the original purpose of the (original) mid.txt was? I mean, it was there, sitting in a directory named rights... quite an invitation (of course, we didn't actually "set" rights in that file or anything for the exploit, but still...)
Is it safe to delete mid.txt and will it be recreated with some default values by the system?


[Root+ROM+RUU] This will root your TB and install BAMF 1.5nte and the leaked RUU.

All root credit still goes to AndIRC and crew.
Rooting The ThunderBolt – Updating The Radio – And Installing BAMF 1.5
From Adrynalyne: This totally awesome wtfomgroflbbq ungodly large PG05IMG.zip contains the latest of everything 1.13.605.7 has to offer plus engineering hboot for s-off, BAMF 1.5, BAMF 4.4.2 kernel, clockwork, and custom boot splash by gadget!
Pros
Root with read/write access to /system
Ability to downgrade and flash any RUU (i.e. signed firmware)
S-OFF
Fully unlocked bootloader
Latest RUU installed
BAMF 1.5nte installed
Cons
Voids warranty
Could brick your phone if you aren’t careful
Its an RUU, IT CAN BREAK YOSELF.....FOO!!!
Its an RUU, IT CAN BREAK YOSELF.....FOO!!!
Its an RUU, IT CAN BREAK YOSELF.....FOO!!!
The method of rooting your Android device as described in the article herein is solely for enthusiasts and not for the faint of heart.
IT WILL WIPE YOUR DATA. IT WILL WIPE YOUR DATA. IT WILL WIPE YOUR DATA.
Android Police and Team AndIRC and Adrynalyne disclaim all liability for any harm that may befall your device, including, but not limited to: bricked phones, voided manufacturer warranties, exploding batteries, etc.
The instructions below assume you already have a strong familiarity with adb command lines – this is not for beginners.
Credits
Adrynalyne for the Custom RUU, BAMF, and Kernel
Scotty2, jamezelle, jcase, and all of Team AndIRC
dsb9938 for writing this, testing, boot ani, and just being an overall great guy
Testers, especially ProTekk and Trident
Gadget for boot splash and ani
Thanks to scotty2 for WPThis
Busybox was pulled from a CyanogenMod ROM, source should be available here
psneuter was pulled from somewhere, credit to scotty2, source here
All firmware credit goes to 911sniper
If I missed anyone in the credits, it was unintentional and I will fix it soon. Lots of people had their hands in on this project.
Please read the instructions in full before you start. Also, make sure your battery is fully charged before taking the plunge.
Step 1
First, download these files:
RUU_Mecha_VERIZON_WWE_1.03.605.10_Radio_1.02.00.0103_2r_NV_8k_1.37_9k_1.52_release_165253 (md5sum : aae974054fc3aed275ba3596480ccd5b) THIS IS THE DOWNGRADE RUU USED IN STEP 4:
Multiupload mirror
GalaxySense mirror
DroidSite mirror
Mirrors for the package (contains busybox, wpthis, psneuter, su, readme.txt, misc.img, and hbooteng.nb0) (md5sum : 3b359efd76aac456ba7fb0d6972de3af) THIS IS THE EXPLOITS FILE:
Multiupload mirror
GalaxySense mirror
DroidSite mirror
BAMF/Leaked RUU mirrors (md5sum : ede0dc842ab676080befe2ae01c74cd3) THIS IS THE CUSTOM RUU USED IN STEP 7:
Single Source
Step 2
Note that adb is required.
Push misc.img, busybox, and psneuter using the following commands:
Code:
adb push psneuter /data/local/
adb push busybox /data/local/
adb push misc.img /data/local/
adb shell chmod 777 /data/local/psneuter
adb shell chmod 777 /data/local/busybox
Step 3
This step will gain temp root and flash the custom misc.img. Run:
Code:
adb shell
Now the shell should display "$".
Run:
Code:
/data/local/psneuter
You will now be kicked out of adb, and adb will restart as root.
Let’s confirm the md5 of misc.img:
Code:
adb shell
At this point, the shell should display "#".
Now run:
Code:
/data/local/busybox md5sum /data/local/misc.img
Output should be "c88dd947eb3b36eec90503a3525ae0de." If it’s anything else, re-download the file and try again.
Now let’s write misc.img:
Code:
dd if=/data/local/misc.img of=/dev/block/mmcblk0p17
exit
Step 4
Here you will rename the downgrade RUU (RUU_Mecha_VERIZON_WWE_1.03.605.10_Radio_1.02.00.0103_2r_NV_8k_1.37_9k_1.52_release_165253) as PG05IMG.zip and place it on your SD card (put the phone in drive mode and just copy it with your OS). Then, run the following command:
Code:
adb reboot bootloader
Choose the bootloader option and press power; let the ROM flash. When asked to upgrade, choose yes. Don’t freak, it’s a long reboot.
Once done, reboot and delete PG05IMG.zip from your SD card.
Step 5
Set up the two part exploit, to gain root and unlock MMC.
Push wpthis, busybox, and psneuter:
Code:
adb push psneuter /data/local/
adb push busybox /data/local/
adb push wpthis /data/local/
adb shell chmod 777 /data/local/psneuter
adb shell chmod 777 /data/local/busybox
adb shell chmod 777 /data/local/wpthis
Gain root (this will once again throw you out of adb):
Code:
adb shell
/data/local/psneuter
Unlock MMC:
Code:
adb shell
/data/local/wpthis
exit
Step 6
Please pay attention – this is very important. This step involves a small chance of bricking if you mess up.
To push the eng bootloader:
Code:
adb push hbooteng.nb0 /data/local/
adb shell
/data/local/busybox md5sum /data/local/hbooteng.nb0
If the output does not match "6991368ee2deaf182048a3ed9d3c0fcb" exactly, stop, delete it, and re-download it. Otherwise, continue.
Now we will write the new bootloader.
Code:
dd if=/data/local/hbooteng.nb0 of=/dev/block/mmcblk0p18
Confirm proper write:
Code:
/data/local/busybox md5sum /dev/block/mmcblk0p18
If the output does not match "6991368ee2deaf182048a3ed9d3c0fcb," try again; if it still doesn’t work, seek help from http://chat.andirc.net:9090/?channels=#root. DO NOT REBOOT.
Reboot.
Step 7
Now, put the custom leaked RUU (Adrynalyne.1.5.PG05IMG.zip) on your SD card by putting the phone in drive mode and copying it with your OS. Now rename it to PG05IMG.zip.
Then using an md5sum type program, check the md5sum and make sure it matches ede0dc842ab676080befe2ae01c74cd3, if it does not, redownload it. (Here is a free windows md5summer).
Next, run this command:
Code:
adb reboot bootloader
Choose the bootloader option and press power; let the ROM flash. When asked to upgrade, choose yes. Don’t freak, it’s a long reboot.
Once done, reboot and delete PG05IMG.zip from your SD card.
After it flashes, you will be running BAMF 1.5nte with S-OFF on the latest leaked RUU.
Please Note: One of the TP images will be bypassed while flashing, this is normal. Also, on first boot, there will be no boot sound, this is normal.
Please make a nand backup in Rom Manager after you go through phone set up.
Rom Manager, SuperUser, and Titanium Backup are already installed.
ClockWork Recovery 3.0.2.5 is already installed.
If you have problems, come to the chat: irc.andirc.net #root or use http://chat.andirc.net:9090/?channels=#root.
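Step 3 and Step 6 of the guide hash an image before writing it with dd and read the partition back afterwards. As an added example that is not part of this guide, the shell functions below (the function names are my own) combine both checks so that an image whose md5 does not match the published value is never written at all. The demo uses constructed temporary files in place of the image and the partition; the only fixed value it relies on is the md5 of the string "hello\n".

```shell
#!/bin/sh
# Added example, not from the guide: check-before-write and read-back-after-
# write for raw image flashing, using md5sum, head, dd and wc as found in
# coreutils and in the busybox the guide pushes to /data/local.

# md5_of FILE [NBYTES]: hex md5 of FILE, or of only its first NBYTES bytes
md5_of() {
    if [ -n "$2" ]; then
        head -c "$2" "$1" | md5sum | cut -d' ' -f1
    else
        md5sum "$1" | cut -d' ' -f1
    fi
}

# verify_image IMAGE EXPECTED_MD5: succeed only if IMAGE hashes to EXPECTED_MD5
verify_image() {
    [ "$(md5_of "$1")" = "$2" ]
}

# flash_verified IMAGE EXPECTED_MD5 TARGET: refuse to write unless IMAGE matches
# EXPECTED_MD5. After writing, read back exactly the image's length from TARGET
# (a partition is normally larger than the image, so hashing the whole device
# would never match) and confirm it hashes the same. conv=notrunc keeps a
# regular file the size it was, which is how a block device behaves anyway.
flash_verified() {
    image="$1"; expected="$2"; target="$3"
    if ! verify_image "$image" "$expected"; then
        echo "md5 mismatch for $image (got $(md5_of "$image")); not writing" >&2
        return 1
    fi
    dd if="$image" of="$target" conv=notrunc 2>/dev/null || { echo "dd failed" >&2; return 1; }
    size=$(wc -c < "$image" | tr -d ' ')
    if [ "$(md5_of "$target" "$size")" != "$expected" ]; then
        echo "read-back of $target does not match $expected; do not reboot, retry the write" >&2
        return 1
    fi
    echo "wrote and verified $image -> $target"
}

# Demo with constructed files. "hello\n" has md5 b1946ac92492d2347c6235b4d2611184.
demo=$(mktemp -d)
printf 'hello\n' > "$demo/image.img"
printf 'XXXXXXXXXXXXXXXX' > "$demo/partition.bin"   # larger than the image, like a real partition
flash_verified "$demo/image.img" b1946ac92492d2347c6235b4d2611184 "$demo/partition.bin"
flash_verified "$demo/image.img" 00000000000000000000000000000000 "$demo/partition.bin" || echo "refused, as intended"
rm -rf "$demo"
```

On the phone the Step 6 equivalent would be flash_verified /data/local/hbooteng.nb0 6991368ee2deaf182048a3ed9d3c0fcb /dev/block/mmcblk0p18, run from the root shell obtained in Step 5. Because the read-back covers only the image's own length, a partition larger than the image still verifies, and a failed read-back leaves you at the same "do not reboot" point the guide describes.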
"omg, no one-click method!?"
jk, this will be a nice time-saver for those just getting their Thunderbolts. Great job compiling this all into one package!
Sweet!
Nice job! Gotta love how the Android community is always trying to help the non-tech savvy be awesome too.
Sent from a bit of awesomeness...
Great job this will come in handy if I decide to root the wifes phone. Mine has been rooted for a while now.
This isn't working so well for me... flashing the last part and boot failed and it's stuck on mdm9k.
lllboredlll said:
This isn't working so well for me... flashing the last part and boot failed and it's stuck on mdm9k.
Please post back and let us know how things work out after you get the new phone. Sorry you had to have what I think is a bad nand chip that wouldn't take a flash.
D
dsb9938 said:
Please post back and let us know how things work out after you get the new phone. Sorry you had to have what I think is a bad nand chip that wouldn't take a flash.
D
well just for the record ... i hold no one accountable but myself or vzw on this one.... what a weird experience.... all the flashing and modding i've done over the last 5 years or so and I kill this phone right out of the gate... it literally made it 2hrs 45 minutes before i had a funeral for it lol
lllboredlll said:
well just for the record ... i hold no one accountable but myself or vzw on this one.... what a weird experience.... all the flashing and modding i've done over the last 5 years or so and I kill this phone right out of the gate... it literally made it 2hrs 45 minutes before i had a funeral for it lol
Thanks. I think we did all we could. Happy to help with the new one.
Sent from my ThunderBAMF using the XDA app.
Thank you for this.. Made ROOTING my wife's phone a breeze!

[ROOT] Telstra from the Latest HC3.1 Update + Unsecured New Boot Image

Hi everyone, I am writing this post because there is currently no information on rooting the Telstra-specific Motorola Xoom from the stock 3.1 while still keeping 3G (the latest 3.1 update, not the problematic one). Since I don't have enough posts to be able to write in the Development section, I just write it over here, and I take no credit for this.
With this root, you don't have to flash any custom recovery at all.
1/. Ensure that you have the Motorola Xoom STOCK 3.1, N_01.83.35P, H.6.3-25-5, or you can move back to stock, flash everything back from
developer.motorola.com/products/software/MZ601_H.6.1-38-9_Telstra_Australia.zip/
and receive the official OTA update.
2/. Ensure that you have already UNLOCKED your Motorola Xoom bootloader. This will wipe your device out so be very careful.
3/. Download the attachment file to this thread, which contains the new unsecured boot, su and Superuser.apk files
4/. Enable USB Debugging on your Xoom
5/. Open command prompt, write the following code:
Code:
adb reboot bootloader
6/. Now your AU Xoom will reboot, continue to type this:
Code:
fastboot flash boot newtelstraboot.img
fastboot reboot
7/. Wait for your AU Xoom to reboot to HC. Open your command prompt, type this:
Code:
adb remount
adb push su /system/bin
adb shell ln -s /system/bin/su /system/xbin/su
adb shell chmod 4755 /system/bin/su
adb push Superuser.apk /system/app
Now you got root on your Australian Xoom from Telstra with working 3G.
Cheers
Screenshots:
img638.imageshack.us/img638/1516/screenshot1ew.png
img21.imageshack.us/img21/1907/screenshot2ck.png
Shouldn't be Step 7 more like ->
Step 6
Code:
fastboot flash boot newtelstraboot.img
fastboot reboot
Step 7
Code:
adb remount
adb push su /system/bin/su
adb shell chmod 4755 /system/bin/su
adb shell ln -s /system/bin/su /system/xbin/su
adb push Superuser.apk /system/app/
adb reboot
BTW: it should be called Non-US Xoom instead of AU Xoom
Oh, thanks,
There is something I want to say though:
First, I don't think you should really need a reboot at the end of step 7. It works for me without the need to reboot.
Secondly, I'm not quite sure if my procedure works with other non-AU xoom. I have just been able to test on 3 Australian Telstra Xooms. At least they all work!
However, I'm new so I am willing to learn from you all. Thanks.

[Q] CWM ADB Shell All Commands Permission Denied

Greetings,
I'm new here, and can't get over to the developers forums to ask. I have two GT-I9500s for development purposes, one is full of junk, and the other is still stock, except for recovery. They both have CWM Recovery v6.0.3.2, the latest available pre-compiled I've found. The stock phone has only been booted once. That system is not rooted (and this is my whole point, I want as close to stock as possible).
I am attempting to extract the system image from Stock I9500. I have booted into CWM Recovery mode, then "adb shell" into the device. All commands I issue to the shell return "Permission Denied"
Code:
:$ adb shell
~ $ ls
/sbin/sh: ls: Permission denied
~ $ dd of=/storage/extSdCard/SYSTEM.img if=/dev/block/mmcblk0p20 bs=4069
/sbin/sh: dd: Permission denied
~ $ su
/sbin/sh: su: Permission denied
~ $ sudo su
/sbin/sh: sudo: Permission denied
I have tried to use Advanced->Fix Permissions to no avail.
CWM is pure and latest from www.clockworkmod.com/rommanager (new users apparently cannot post links). CWM is able to successfully operate "Backup to External" from the stock device.
The end goal is to clone the clean, stock device onto the other one. CWM claims success on "Restore from External" to the other device, but it sits on the "Samsung" loading screen forever.
A solution to either or both of these problems would be appreciated.
This was accidentally posted to General a few minutes ago, but as a new user, I don't have the ability to delete it.
-MM
You need to boot the device and then connect it to adb. Then you get a popup on your phone to allow your pc. After that you can use adb from cwm.
Lennyz1988 said:
You need to boot the device and then connect it to adb. Then you get a popup on your phone to allow your pc. After that you can use adb from cwm.
I booted into android, connected it to Ubuntu, enabled ADB, authorized the device, chose to remember the device, then "adb shell" into the phone. I can LS and CD around.
I rebooted into CWM Recovery, did "adb shell" and still cannot execute LS. CD works but that is bash internal not a program. Other programs are still "Permission Denied"
I am not that an expert of adb, but couldn't that be caused by the fact that you are not rooted?
Lennyz1988 said:
I am not that an expert of adb, but couldn't that be caused by the fact that you are not rooted?
You're conflating the environments. CWM is inherently rooted; when in recovery, Android is never booted. I have execute permission in Android, not in CWM.
nvm
As resolution to my problem, I never did fix Clockwork Mod. Instead, I flashed TWRP for the I9500 and it allows me to execute
Code:
adb shell su -c ...

Please Help! Rooted then lost, and now anti-rollback is stopping me from going back!

Ok, so I got TWRP on the phone, then I used Flash Fire to try and get Android 7 while maintaining custom recovery (and it even was supposed to inject SuperSU). It went and did its thing and on boot I saw SuperSU on the phone, so I thought hey, I am good, sweet. HA. Well, open it and it said can't find binary, uh oh. I go to manually boot recovery and it wipes user data instead, so I lost TWRP.
Well Ok, I thought. Let me LG UP the modified TOT and select refurb to just get me back to Marshmallow with TWRP and try again. YEAH RIGHT. Looks like the Android 7 update blows another qfuse and now LG UP just states anti rollback version is smaller than installed.
I WANT ROOT I PAID FOR THIS THING IN FULL WHY IS IT SOO HARD FOR MANUFACTURERS TO ALLOW ME ACCESS TO MY OWN HARDWARE. When I buy a computer with an OS they don't give me a user only level account and tell me it is for my own good. They allow me to do whatever I WANT because you know why I BOUGHT THE HARDWARE IN FULL AND the supreme court has said no subsidy locks allowed as when a user buys a device it is theirs not yours. I feel this is another version of a subsidy lock at the rate we are going and I can't wait until someone with the time and money sues an OEM and wins us the right to not jump through all these damn hoops to be allowed to do what we wish with the hardware we buy IN FULL NOW.
Ok, rant over, Anyone out there know of a way to root android 7 on the H830? I dunno if a dev could maybe mod up a 20a image so that we can LGUP it to the H830s that have Android 7 and need root.
@RealPariah here ya go follow this Thanks to @godfather123189 for finding these instructions:
i can confirm dirtycow worked for me to reflash twrp. you have to make sure to have the newest version of twrp.img. i was also able to root 20a with the newest supersu.zip.
i will try going back to 10j nandroid i had made before i upgraded to 20a
download all the files from here:
https://build.nethunter.com/android-tools/dirtycow/arm64/
and follow these instructions:
**pushing files**
adb push dirtycow /data/local/tmp
adb push recowvery-applypatch /data/local/tmp
adb push recowvery-app_process64 /data/local/tmp
adb push recowvery-run-as /data/local/tmp
adb push twrp.img /sdcard/twrp.img
**end pushing files**
1) adb shell
2) cd /data/local/tmp
3) chmod 0777 *
4) ./dirtycow /system/bin/applypatch recowvery-applypatch
"<wait for completion>"
5) ./dirtycow /system/bin/app_process64 recowvery-app_process64
"<wait for completion, your phone will look like it's crashing>"
6) exit
7) adb logcat -s recowvery
"<wait for it to tell you it was successful>"
8) CTRL+C
9) adb shell reboot recovery
"<wait for phone to boot up again, your recovery will be reflashed to stock>"
10) adb shell
11) getenforce
"<it should say Permissive, adjust source and build for your device!>"
12) cd /data/local/tmp
13) ./dirtycow /system/bin/run-as recowvery-run-as
14) run-as exec ./recowvery-applypatch boot
"<wait for it to flash your boot image this time>"
15) run-as su
16) dd if=/sdcard/twrp.img of=/dev/block/bootdevice/by-name/recovery
Well you aren't alone. And I agree, I fully own my device and I think I should be able to do whatever the living F*&% I want with it.
It's only a question of time though, these guys are the best there are at cracking through companies' efforts at locking us out of our own shiznat... in the meantime set up the stuff you can without ROOT (no Titanium Backup... *sniff) LOL.
Before long we'll wake up and see TWRP attached to the ROM like before and all will be well. Cheers
OK after 2 days of attempting this without even wrapping my head around the idea of how to access /data/local/temp without being rooted to begin with I hereby surrender :crying:
Thanks for posting this for dayum sure, I only wish I was a more proficient SDK user as to be able to utilize it.
I mean I'm fully versed in the very basics of Fastboot/ADB as a long time Nexus user. Push, pull, flashing recoveries and the other relatively easy stuff. But I can't get this worth a crap .....
Thanks guys
Jonathanpeyton said:
OK after 2 days of attempting this without even wrapping my head around the idea of how to access /data/local/temp without being rooted to begin with I hereby surrender :crying:
Thanks for posting this for dayum sure, I only wish I was a more proficient SDK user as to be able to utilize it.
I mean I'm fully versed in the very basics of Fastboot/ADB as a long time Nexus user. Push, pull, flashing recoveries and the other relatively easy stuff. But I can't get this worth a crap .....
Thanks guys
I struggled with it at first I would be glad to assist I'm not at home but when I get home and can access my desktop I would be glad to try to explain it better.
---------- Post added at 06:45 AM ---------- Previous post was at 06:12 AM ----------
Jonathanpeyton said:
OK after 2 days of attempting this without even wrapping my head around the idea of how to access /data/local/temp without being rooted to begin with I hereby surrender :crying:
Thanks for posting this for dayum sure, I only wish I was a more proficient SDK user as to be able to utilize it.
I mean I'm fully versed in the very basics of Fastboot/ADB as a long time Nexus user. Push, pull, flashing recoveries and the other relatively easy stuff. But I can't get this worth a crap .....
Thanks guys
OK, here goes my best attempt at explaining it: you need to have your phone turned on with Android debugging turned on as well, plug your phone into the PC and then accept the request from adb to access the device. Then start running the adb commands, starting with the ones under ***pushing files***, then start following the steps 1-16. Let me know if you have any more questions or something you don't understand. Hopefully this was helpful. P.S. I also had all of the downloaded files inside my adb folder and opened the command window from that folder.
shaneg79 said:
@RealPariah here ya go follow this Thanks to @godfather123189 for finding these instructions:
i can confirm dirtycow worked for me to reflash twrp. you have to make sure to have the newest version of twrp.img. i was also able to root 20a with the newest supersu.zip.
i will try going back to 10j nandroid i had made before i upgraded to 20a
download all the files from here:
https://build.nethunter.com/android-tools/dirtycow/arm64/
and follow these instructions:
**pushing files**
adb push dirtycow /data/local/tmp
adb push recowvery-applypatch /data/local/tmp
adb push recowvery-app_process64 /data/local/tmp
adb push recowvery-run-as /data/local/tmp
adb push twrp.img /sdcard/twrp.img
**end pushing files**
1) adb shell
2) cd /data/local/tmp
3) chmod 0777 *
4) ./dirtycow /system/bin/applypatch recowvery-applypatch
"<wait for completion>"
5) ./dirtycow /system/bin/app_process64 recowvery-app_process64
"<wait for completion, your phone will look like it's crashing>"
6) exit
7) adb logcat -s recowvery
"<wait for it to tell you it was successful>"
8) CTRL+C
9) adb shell reboot recovery
"<wait for phone to boot up again, your recovery will be reflashed to stock>"
10) adb shell
11) getenforce
"<it should say Permissive, adjust source and build for your device!>"
12) cd /data/local/tmp
13) ./dirtycow /system/bin/run-as recowvery-run-as
14) run-as exec ./recowvery-applypatch boot
"<wait for it to flash your boot image this time>"
15) run-as su
16) dd if=/sdcard/twrp.img of=/dev/block/bootdevice/by-name/recovery
This worked great! Thank you! After TWRP was flashed via steps above I just followed the video I linked below from the 8:20 mark and formatted data and then flashed dmverify encrypt and super su (both downloads in vid) and now I'm back to rooted on 7.0 nougat with TWRP and supersu!
Go dirtycow!
Thank you shaneG79 and Genardas this made all the difference!
so An Instruction List ,a Thoughtfully Worded Explanation and You Tube Video are worth a 1000 words
shaneg79 said:
I struggled with it at first I would be glad to assist I'm not at home but when I get home and can access my desktop I would be glad to try to explain it better.
---------- Post added at 06:45 AM ---------- Previous post was at 06:12 AM ----------
OK, here goes my best attempt at explaining it: you need to have your phone turned on with Android debugging turned on as well, plug your phone into the PC and then accept the request from adb to access the device. Then start running the adb commands, starting with the ones under ***pushing files***, then start following the steps 1-16. Let me know if you have any more questions or something you don't understand. Hopefully this was helpful. P.S. I also had all of the downloaded files inside my adb folder and opened the command window from that folder.
Any idea why I'm still getting a "permission denied" after my chmod 0777 * here?
1) adb shell
2) cd /data/local/tmp
3) chmod 0777 *
4) ./dirtycow /system/bin/applypatch recowvery-applypatch
"<wait for completion>"
That seems to throw it all out of whack..
Jonathanpeyton said:
Any idea why I'm still getting a "permission denied" after my chmod 0777 * here?
1) adb shell
2) cd /data/local/tmp
3) chmod 0777 *
4) ./dirtycow /system/bin/applypatch recowvery-applypatch
"<wait for completion>"
That seems to throw it all out of whack..
I think there may be a space between the last 7 and the *. I can't be sure though, because I copied and pasted it into the adb window.
shaneg79 said:
I think there may be a space between the last 7 and the *. I can't be sure though, because I copied and pasted it into the adb window.
I think you may be right, and as I am copy-pasting now I've been able to get past it.
I still was able to get root last night with it but was denied access to data in the end, so I had to go back. Thank you!
When you finally get to "adb shell reboot recovery", did yours boot to the Firmware Update page? Or to something else? Mine repeatedly goes to Firmware Update, then of course isn't seen by adb anymore, and no recovery is ever flashed, I don't think..
Jonathanpeyton said:
When you finally get to "adb shell reboot recovery", did yours boot to the Firmware Update page? Or to something else? Mine repeatedly goes to Firmware Update, then of course isn't seen by adb anymore, and no recovery is ever flashed, I don't think..
No, mine rebooted and I finished the rest of the steps. I would try going through the steps again and copy and paste everything into the adb window. I think in order for TWRP to be flashed you have to finish all 16 steps.
shaneg79 said:
No, mine rebooted and I finished the rest of the steps. I would try going through the steps again and copy and paste everything into the adb window. I think in order for TWRP to be flashed you have to finish all 16 steps.
Roger, will do, thank you!
Nah, it's no good. No matter what, it will only go to that Firmware page. All the commands are correct. It must be something in my setup itself.
I had wondered, am I supposed to leave the cable in for the entirety of the 16 steps (which I have done)?
Jonathanpeyton said:
Nah, it's no good. No matter what, it will only go to that Firmware page. All the commands are correct. It must be something in my setup itself.
I had wondered, am I supposed to leave the cable in for the entirety of the 16 steps (which I have done)?
Yes, I did. You might try using LGUP and reflashing 20a and then trying again.
OK, I went as fresh as possible on all installs.
Uninstalled and reinstalled all drivers/utils (Uppercut, LGUP etc.)
Copied all instructions to a separate file to ease copying
all before taking your advice (which I thought sounded like the right direction to go) and reflashing 20a.KMZ in LGUP.
Still the result is the same: step 9 (reboot to recovery) leads only to the Firmware Update screen ~~~~~> https://drive.google.com/open?id=0B03a0JRwWhkwX1RQdmlSRmh5c0U AND https://drive.google.com/open?id=0B03a0JRwWhkwT0lMNEViNGIxWkE
Also I want to mention, when I try to directly copy the chmod as is (0777 *) I get a permission denied, so I've been changing it to 0777* (no space between the asterisk [regex] and the last 7), which seems to work as I am able to continue entering code....
Man, and I thought Samsung devices were a pain to root lol.
Thanks so much for all the help so far, I'm usually not this much trouble....
Jonathanpeyton said:
OK, I went as fresh as possible on all installs.
Uninstalled and reinstalled all drivers/utils (Uppercut, LGUP etc.)
Copied all instructions to a separate file to ease copying
all before taking your advice (which I thought sounded like the right direction to go) and reflashing 20a.KMZ in LGUP.
Still the result is the same: step 9 (reboot to recovery) leads only to the Firmware Update screen ~~~~~> https://drive.google.com/open?id=0B03a0JRwWhkwX1RQdmlSRmh5c0U AND https://drive.google.com/open?id=0B03a0JRwWhkwT0lMNEViNGIxWkE
Also I want to mention, when I try to directly copy the chmod as is (0777 *) I get a permission denied, so I've been changing it to 0777* (no space between the asterisk [regex] and the last 7), which seems to work as I am able to continue entering code....
Man, and I thought Samsung devices were a pain to root lol.
Thanks so much for all the help so far, I'm usually not this much trouble....
You're not being any trouble, I just wish I knew why yours isn't working correctly.
OK, update..... I used the device's internal settings to do a factory reset, then reinstalled 20a. THAT made it so I am now able to grant the proper permissions to /data/local/tmp. However, I still wind up at the Firmware Update page after >adb shell reboot recovery instead of the recovery screen or just a reboot....but I guess it's small progress.
shaneg79 said:
@RealPariah here ya go, follow this. Thanks to @godfather123189 for finding these instructions:
I can confirm dirtycow worked for me to reflash TWRP. You have to make sure to have the newest version of twrp.img. I was also able to root 20a with the newest supersu.zip.
I will try going back to the 10j nandroid I had made before I upgraded to 20a.
Download all the files from here:
https://build.nethunter.com/android-tools/dirtycow/arm64/
and follow these instructions:
**pushing files**
adb push dirtycow /data/local/tmp
adb push recowvery-applypatch /data/local/tmp
adb push recowvery-app_process64 /data/local/tmp
adb push recowvery-run-as /data/local/tmp
adb push twrp.img /sdcard/twrp.img
**end pushing files**
1) adb shell
2) cd /data/local/tmp
3) chmod 0777 *
4) ./dirtycow /system/bin/applypatch recowvery-applypatch
"<wait for completion>"
5) ./dirtycow /system/bin/app_process64 recowvery-app_process64
"<wait for completion, your phone will look like it's crashing>"
6) exit
7) adb logcat -s recowvery
"<wait for it to tell you it was successful>"
8) CTRL+C
9) adb shell reboot recovery
"<wait for phone to boot up again, your recovery will be reflashed to stock>"
10) adb shell
11) getenforce
"<it should say Permissive, adjust source and build for your device!>"
12) cd /data/local/tmp
13) ./dirtycow /system/bin/run-as recowvery-run-as
14) run-as exec ./recowvery-applypatch boot
"<wait for it to flash your boot image this time>"
15) run-as su
16) dd if=/sdcard/twrp.img of=/dev/block/bootdevice/by-name/recovery
Thank you so much... And whoever is behind this, anyway... One word... Genius... Simply genius.. Well, that was 2 words.
Accidental double post see next post, my bad...
Accidental double post

Help! Two Bricked V20s! H918

So I have two V20s with 10d firmware.
I have followed the GitHub instructions to root the phones, which are as follows:
Building:
lunch your_device-eng
make -j5 dirtycow recowvery-applypatch recowvery-app_process recowvery-run-as
Running:
Note: Use app_process32 on 32-bit targets.
adb push dirtycow /data/local/tmp
adb push recowvery-applypatch /data/local/tmp
adb push recowvery-app_process64 /data/local/tmp
adb push recowvery-run-as /data/local/tmp
adb shell
$ cd /data/local/tmp
$ chmod 0777 *
$ ./dirtycow /system/bin/applypatch recowvery-applypatch
"<wait for completion>"
$ ./dirtycow /system/bin/app_process64 recowvery-app_process64
"<wait for completion, your phone will look like it's crashing>"
$ exit
adb logcat -s recowvery
"<wait for it to tell you it was successful>"
"[CTRL+C]"
adb shell reboot recovery
"<wait for phone to boot up again, your recovery will be reflashed to stock>"
adb shell
$ getenforce
"<it should say Permissive, adjust source and build for your device!>"
$ cd /data/local/tmp
$ ./dirtycow /system/bin/run-as recowvery-run-as
$ run-as exec ./recowvery-applypatch boot
"<wait for it to flash your boot image this time>"
$ run-as su
#
"<play around in your somewhat limited root shell full of possibilities>"
From your root shell, it's possible to use commands such as:
dd if=/sdcard/twrp.img of=/dev/block/bootdevice/by-name/recovery
Now, on the first phone I was able to get TWRP; however, when I reboot the phone to recovery, it asks me for a password. It would not install SuperSU without the password. It would be read-only. When I reset the phone, it went into the infamous recovery bootloop. It would only boot to TWRP.
On the second phone I have got as far as getenforce; however, it says enforcing instead of permissive.
Now I am sure what to do next and I am stuck with two bricked(?) phones.
I have been trying to find firmware 10d but I could not find it. Only 10i or 10j were found. Do I restore it to stock then re-root? What would be the best solution for me? Thanks in advance.
Edit: I am reading several threads and I do see the same symptoms, but no solutions were posted later. So I don't know what was done to fix it. I just don't know what to do next at this point.
sharpeyedman said:
The 1st one that is asking for a password is because you have not FORMATTED DATA.
This is required for TWRP to be able to read the entire phone, as it was encrypted by LG.
The FORMAT DATA option requires you to type YES; if you haven't done that, it needs to be done.
After that, flash a stock ROM and reboot. Usually the 1st boot is a 10-20 min wait time for it to set up.
This is covered on the main thread: it must be done to resolve this.
If you get boot loops, put the device into fastboot,
wipe /fota, /misc, /cache and /etc using
fastboot erase fota, replacing "fota" with each directory.
Furthermore, you can also wipe "system" and "data", but you will have to flash the ROM again if you wipe those 2.
As well, there have been some devices that wouldn't boot or booted 10x slower, and the resolution was to
push an alternate boot.img to the device that was not the engineering/debug image.
For the 2nd one, you've not provided enough info.
What software version are you on?
As well, you may need to post in the root/unlock page for direct assistance with the process on this one.
.......
Team DevDigitel said:
sharpeyedman said:
The 1st one that is asking for a password is because you have not FORMATTED DATA.
This is required for TWRP to be able to read the entire phone, as it was encrypted by LG.
The FORMAT DATA option requires you to type YES; if you haven't done that, it needs to be done.
After that, flash a stock ROM and reboot. Usually the 1st boot is a 10-20 min wait time for it to set up.
This is covered on the main thread: it must be done to resolve this.
If you get boot loops, put the device into fastboot,
wipe /fota, /misc, /cache and /etc using
fastboot erase fota, replacing "fota" with each directory.
Furthermore, you can also wipe "system" and "data", but you will have to flash the ROM again if you wipe those 2.
As well, there have been some devices that wouldn't boot or booted 10x slower, and the resolution was to
push an alternate boot.img to the device that was not the engineering/debug image.
For the 2nd one, you've not provided enough info.
What software version are you on?
As well, you may need to post in the root/unlock page for direct assistance with the process on this one.
.......
Both are on 10d stock firmware. When I run getenforce it prompts me with "enforcing" instead of "permissive". Now when I ignore the prompt and proceed further, it later would not let me install a new recovery or TWRP. So I cannot boot to the custom recovery, i.e. TWRP. If I retry the procedure all over from the beginning, then it would not run chmod 0777 *. It would say not granted or permitted. What should I do with the second phone? Thanks so much for your help.
sharpeyedman said:
Team DevDigitel said:
Both are on 10d stock firmware. When I run getenforce it prompts me with "enforcing" instead of "permissive". Now when I ignore the prompt and proceed further, it later would not let me install a new recovery or TWRP. So I cannot boot to the custom recovery, i.e. TWRP. If I retry the procedure all over from the beginning, then it would not run chmod 0777 *. It would say not granted or permitted. What should I do with the second phone? Thanks so much for your help.
I don't know, post this one on the other page.